aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

doc: Move the definition of modifier keywords to the introduction

Browse Source
pull/3062/head
Ralph Broenink 7 years ago committed by Victor Julien
parent dfae19247d
commit 11990c7117
2 changed files with 30 additions and 14 deletions
Show Stats Download Patch File Download Diff File

21
doc/userguide/rules/http-keywords.rst
Unescape Escape View File

@ -10,24 +10,17 @@ capabilities at the application layer. More information can be found at
specific parts of the network traffic. For instance, to check specifically on specific parts of the network traffic. For instance, to check specifically on
the request URI, cookies, or the HTTP request or response body, etc. the request URI, cookies, or the HTTP request or response body, etc.
Types of modifiers All HTTP keywords are modifiers. Note the difference between content modifiers
------------------ and sticky buffers. See :ref:`rules-modifiers` for more information. As a
refresher:
There are 2 types of modifiers. The older style 'content modifiers' look back in the rule.
Example::
alert http any any -> any any (content:"index.php"; http_uri; sid:1;) * **'content modifiers'** look back in the rule, e.g.::
In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer. alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
Example::
alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;) * **'sticky buffers'** are placed first and all keywords following it apply to that buffer, for instance::
In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword. alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
The following request keywords are available: The following request keywords are available:

23
doc/userguide/rules/intro.rst
Unescape Escape View File

@ -226,3 +226,26 @@ meaning of the rule.
As a consequence, you must also escape the backslash, as it functions As a consequence, you must also escape the backslash, as it functions
as an escape character. as an escape character.
The rest of this chapter in the documentation documents the use of the various keywords.
Some generic details about keywords follow.
.. _rules-modifiers:
Modifier Keywords
~~~~~~~~~~~~~~~~~
Some keywords function act as modifiers. There are two types of modifiers.
* The older style **'content modifiers'** look back in the rule, e.g.::
alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer.
* The more recent type is called the **'sticky buffer'**. It places the buffer name first and all keywords following it apply to that buffer, for instance::
alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword.

Write Preview
Loading…
Cancel
Save